/* cSploit - a simple penetration testing suite
* Copyright (C) 2014 Massimo Dragano aka tux_mind <[email protected]>
*
* cSploit is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* cSploit is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with cSploit. If not, see <http://www.gnu.org/licenses/>.
*/
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdint.h>
#include <unistd.h>
#include <math.h>
#include <csploit/logger.h>
#include "netdefs.h"
#include "prober.h"
#include "ifinfo.h"
#include "host.h"
#include "scanner.h"
/*
 * Table of the RFC 1918 private address blocks, kept in host byte order
 * (full_scan() adds to .subnet directly and converts with htonl() only
 * when it hands an address to the socket layer).
 */
struct private_network {
  uint32_t subnet;    // network address of the block, host byte order
  uint8_t prefix_sz;  // CIDR prefix length of the block
};

static struct private_network private_networks[] = {
  { .subnet = 0xC0A80000, .prefix_sz = 16 }, // 192.168.0.0/16
  { .subnet = 0xAC100000, .prefix_sz = 12 }, // 172.16.0.0/12
  { .subnet = 0x0A000000, .prefix_sz = 8  }  // 10.0.0.0/8
};
/**
 * @brief perform a full scan sending a NBSTAT request to all possible hosts
 *
 * does not scan hosts on local subnet
 *
 * Walks the entries of private_networks[] in order, calling
 * begin_nbns_lookup() once per address and sleeping between calls so that
 * the whole pass is spread over roughly FULL_SCAN_MS.  The loop stops as
 * soon as hosts.control.active is cleared, and the function returns
 * immediately when the NBNS socket is not open.
 */
void full_scan() {
  uint32_t i, n, broadcast, ip;  // i: host count first, then host-order address cursor
  useconds_t delay;

  if(prober_info.nbns_sockfd == -1) return;

  // Number of addresses to probe: every host in the private blocks minus
  // the hosts of our own subnet (which are skipped below).
  i = PRIVATE_NETWORKS_HOSTS;
  // n = count of trailing zero bits in ifinfo.ip_mask, i.e. the local
  // subnet's host-bit count.  NOTE(review): local_scan() applies ntohl() to
  // ifinfo.ip_mask, so the field appears to be in network byte order; on a
  // little-endian host this loop then inspects the wrong end of the mask —
  // confirm against the ifinfo definition.
  for(n=0;n<32 && !((ifinfo.ip_mask >> n) & 1); n++);
  // 2^n - 2 = usable hosts of the local subnet.  NOTE(review): pow() goes
  // through double; (1u << n) - 2 would avoid the float round trip, and if
  // i ends up 0 the division below is undefined behaviour.
  i-= pow(2, n) - 2;
  delay = (FULL_SCAN_MS * 1000) / i;
  print( DEBUG, "delay is %u us", delay);

  for(n=0;n<3 && hosts.control.active;n++) {  // 3 == entries in private_networks[]
    i = private_networks[n].subnet + 1;  // first host of the block, host byte order
    // NOTE(review): the mask constant is 24 bits wide (0xFFFFFF), so the
    // computed broadcast address does not match the /prefix_sz annotations
    // on the table entries (0xFFFFFFFF would).  Left as is; confirm intent.
    broadcast = i | (0xFFFFFF >> private_networks[n].prefix_sz);
    while(i<broadcast && hosts.control.active) {
      ip = htonl(i);  // network byte order for the lookup / comparison below
      if((ip & ifinfo.ip_mask) != ifinfo.ip_subnet) {
        begin_nbns_lookup(ip);
        usleep(delay);  // pace requests so the pass takes ~FULL_SCAN_MS
      } else {
        // skip local network
        // NOTE(review): ip_broadcast looks like network byte order (see the
        // ntohl() in local_scan()) while i is host order, so the cursor may
        // jump to an unrelated value here — confirm before relying on it.
        i = ifinfo.ip_broadcast;
      }
      i++;
    }
  }
}
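/**
 * @brief perform a quick scan sending ARP requests to all hosts of our subnet
 *
 * Iterates every address strictly between the local subnet address and its
 * broadcast address, calling begin_arp_lookup() once per address and
 * sleeping between calls so that the whole pass is spread over roughly
 * LOCAL_SCAN_MS.  Stops early when hosts.control.active is cleared.
 *
 * Returns without doing anything when the prober socket is not open, or
 * when the subnet has no usable host addresses (e.g. a /31 or /32 mask) —
 * the latter check also keeps the delay computation from dividing by zero.
 */
void local_scan() {
  uint32_t first, broadcast, host_count;
  useconds_t delay;

  // NOTE(review): this tests the NBNS socket although the scan sends ARP
  // requests; presumably prober_info opens both together — confirm.
  if(prober_info.nbns_sockfd == -1) return;

  // ifinfo fields are in network byte order; convert to host order so that
  // incrementing the value walks the subnet address by address.
  first = ntohl(ifinfo.ip_addr & ifinfo.ip_mask) + 1;
  broadcast = ntohl(ifinfo.ip_broadcast);

  // No host addresses to probe.  Without this guard (broadcast - first)
  // is 0 for a /31 (division by zero, undefined behaviour) and wraps to a
  // huge value for a /32.
  if(broadcast <= first) return;
  host_count = broadcast - first;

  // spread the requests evenly over LOCAL_SCAN_MS
  delay = (LOCAL_SCAN_MS * 1000) / host_count;
  print( DEBUG, "delay is %u us", delay);

  for(uint32_t i = first; i < broadcast && hosts.control.active; i++) {
    begin_arp_lookup(htonl(i));
    usleep(delay);
  }
}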